Friday, August 17, 2018

XAttacker Tool – Scan and Auto Exploit Web Vulnerabilities

XAttacker is a perl tool capable of scanning and auto-exploiting vulnerabilities in web applications. By providing a target website to the tool, it auto detects its’ architecture if using a Content Management Service (CMS) and tries to find vulnerabilities based on the detected CMS. Currently supported CMS include WordPress, Joomla, Drupal, PrestaShop, and LokoMedia.

 

How to Install the Tool?

 

XAttacker can be installed by cloning the setup from Github repository using the following command.

git clone https://github.com/Moham3dRiahi/XAttacker.git
 
The cloning process may ask for a username and password to proceed. Another option to get the tool is to download the ZIP file from the github repository and extract the files. The unzipped files can be viewed by following the XAttacker’s downloaded folder path and list the folder items using the following command. The folder must contain the XAttacker.pl file.

cd XAttacker-master
ls

 

Scan and Exploit with XAttacker

Using XAttacker is pretty simple. First of all, save the target website(s) in a text file. In the next step, run the tool using the following command.
perl XAttacker.pl
The above command runs the tool and asks to select one of two options regarding the target website list. Select the appropriate option and provide the path to the file containing the target website(s) created earlier. For demonstration purposes, we have added the target website in a file named as ‘mylist’, saved on the desktop.

 

If the target website contains the supported CMS, the tool starts exploring the possibilities of exploiting the website based on vulnerabilities in the pre-defined set of resources. For instance, in a WordPress website, the tool searches for vulnerabilities in resources like plugins, forms, php code, and specific themes. Similarly, in Drupal, the tool looks for Admin panel vulnerabilities. If there is no vulnerability found in the targeted website, the tool returns to the initial step.

 

However, if XAttacker finds a vulnerability, it exploits that automatically if the attacker chooses to do so. XAttacker could be useful for red team exercises in particular.





 


at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Most Important Network Penetration Testing Checklist

Network Penetration Testing determines vulnerabilities in the network posture by discovering Open ports, Troubleshooting live systems, se...